Click-fraud problems
June 30, 2009
Looks as if Facebook are having a few issues with click-fraud. No surprises really, every major online advertiser faces the same problems. Just as spam followed the popularity of email, click-fraud is going to follow advertising budgets onto the web.
What I’ve found interesting in this case is who benefits from click fraud. In the case of Google’s AdSense, the Yahoo publisher network, or the many others, when you share the revenue from click-throughs on ads with the people that host them, there’s an incentive to drive clicks either via legitimate (increasing traffic), semi-legitimate (SEO techniques), or illegitimate (click-fraud) means. The more people going through the ads you get served up, the more money you make. What is interesting about Facebook’s current issues is that they are hosting on their own site, and aren’t sharing revenue (well, they are with application developers, but for brevity I’ll ignore that instance as I believe it’s manageable). So in that case, who’s doing the click-fraud and for what purpose?
On TechCrunch there’s an excellent post on how click-fraud may be working against Facebook. In a nutshell, advertisers are probably click-frauding each other to drive their competitors out of the market by using up their budget and/or spiking the prices. If this is actually what is happening (I’ve seen no hard evidence out there one way or the other yet from crawling around the web doing some research before putting this post up, but, stealing a link from one of the TC comments, there’s a lot of freelance work available out there to game the system), then it’s pretty much the prisoner’s dilemma playing out in real life. The only winner is Facebook, as they are getting revenue, but even then only over the short term, as advertisers can get pissed off and leave (and are). All the ad networks take the quality of CTRs seriously because it’s their bread-and-butter, but what can they do?
So, on to the main topic of my post: how do you combat click-fraud? For the advertiser there’s advice out there on a few things they should do, but for the purposes of web security, which I hope will become clear later, let’s focus on the ad networks themselves and how they can address click-fraud.
1. Firstly, the ad delivery network (what I’ll call the “system” from now on) has to keep stats on what was served and clicked for their clients. Any unusual spikes or patterns in these stats could cause concern (could, because there may still be many legitimate reasons) and need to be investigated. This is no different from security monitoring and historically reviewing log files to look for anomalous behavior.
2. Ads are usually targeted at users and are supposed to be in some way randomized so the user doesn’t see the same ad all the time, and multiple clicks on the same ad shouldn’t be counted if they come from the same person. Mostly, targeting is done geographically and/or based on characteristics of the user: age, interests, demographic, etc. In order to access the ads, the fraudsters have to be able to come off as “real” users that match those characteristics (and enough real users so that they don’t trigger the abnormal pattern detection, or the “real vs. bot” detection that I’ll talk about below) in order to make the clicks. The geographic part is pretty easy: there are shared proxies and VPN solutions, public and private, that allow you to look like you are in any country you like (I use such a service sometimes to watch the BBC iPlayer and catch up on shows at home). Obtaining legitimate users matching a demographic can be achieved either with automated sign-up tools, or simply by paying low-cost labor. This is very much the CAPTCHA arms-race we are going through now, and there are even systems out there that will “nourish” and “grow” an account, much like a real user would add pictures, wall posts, etc., so it’s not as obvious that it’s an account used just for click-fraud and it doesn’t face being shut down if it’s discovered at some point.
3. To the people gaming the system, the risk/reward ratio currently is very much in their favor, whereas the risk/reward ratio of, say, robbing a bank is low: there’s a good chance of getting caught, banks often don’t lose that much money in such an incident, and the punishment if the robber does get caught is high. In order to re-balance the risk/reward ratio, many companies are going after the perpetrators of click-fraud, much like they have been known to go after spammers or hackers. This is done in the hope that it drives the perpetrators away from the system that is going after them, or away from the activity in general.
4. Lastly, the system has to determine what is a “real” user clicking on an ad vs. some automated program (bot). There are various ways this could be done (IP address, speed of viewing/clicking, browser version, Referer header, cookies, etc.), and the method(s) are kept very close to the chest because they could all be spoofed and gamed, especially if you know what the rules are. The parallel with webappsec here is that we have very much the same issue with session management and session hijacking: we’ve had to layer something on top of HTTP (cookies) to provide state and user identification, which may be spoofed, so we might not have any idea who the “real” user is. HTTP by design doesn’t support the level of user identification that would really help, and I very much doubt that it ever will (based on the backlash against tracking cookies and per-machine IDs; client-side certificates would be a similar approach, although, as with Intel, there are big privacy issues to overcome), but it sure would be helpful to identify users uniquely on the web.
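As an added illustration of items 1, 2 and 4 (example code, not part of the original post or of any ad network’s system), here is a small Python sketch of the server-side checks a network could run over its own click log: de-duplicating repeat clicks per user and ad, flagging click velocity per source IP, and comparing an ad’s daily count with its own history. The log records, ad ids, cookies, IP addresses and thresholds are all constructed; real systems tune these against live traffic.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

def t(s):  # clock time on the sample day -> datetime
    return datetime.strptime("2009-06-30 " + s, "%Y-%m-%d %H:%M:%S")

# Constructed sample click log (not real traffic); field order matches FIELDS.
FIELDS = ("ts", "ad", "cookie", "ip")
CLICKS = [dict(zip(FIELDS, r)) for r in [
    (t("10:00:05"), "A1", "u1", "198.51.100.7"),
    (t("10:00:09"), "A1", "u1", "198.51.100.7"),  # same cookie re-clicks A1: not billable
    (t("10:00:12"), "A1", "u2", "203.0.113.9"),
    (t("10:00:20"), "A1", "u3", "203.0.113.9"),
    (t("10:00:31"), "A1", "u4", "203.0.113.9"),
    (t("10:00:44"), "A1", "u5", "203.0.113.9"),   # four "users" in 32 s from one IP
    (t("10:30:00"), "A2", "u6", "192.0.2.15"),
]]

def billable_clicks(clicks, window=timedelta(hours=1)):
    # Item 2: count at most one click per (ad, cookie) pair inside the window.
    last_seen, kept = {}, []
    for c in sorted(clicks, key=lambda c: c["ts"]):
        key = (c["ad"], c["cookie"])
        if key in last_seen and c["ts"] - last_seen[key] < window:
            continue
        last_seen[key] = c["ts"]
        kept.append(c)
    return kept

def velocity_flags(clicks, window=timedelta(minutes=1), limit=3):
    # Item 4: flag source IPs with more than `limit` clicks inside any `window`.
    by_ip = defaultdict(list)
    for c in clicks:
        by_ip[c["ip"]].append(c["ts"])
    flagged = set()
    for ip, times in by_ip.items():
        times.sort()
        if any(times[i + limit] - times[i] <= window for i in range(len(times) - limit)):
            flagged.add(ip)
    return flagged

def spike_flags(today, history, z=3.0):
    # Item 1: flag ads whose clicks today exceed mean + z * stdev of their daily history.
    flagged = {}
    for ad, count in today.items():
        past = history.get(ad, [])
        if len(past) >= 2 and count > mean(past) + z * pstdev(past):
            flagged[ad] = count
    return flagged
```

Flags from any one rule are a reason to investigate, not proof of fraud; shared NAT or a genuinely popular campaign produce the same signals.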
So, I think that click-fraud has many parallels with web security and some really big shared interests. However, I don’t think advertising click-throughs are ever going to be that reliable, and there will always be this fraud arms-race going on. Really, advertisers aren’t interested in their ads being clicked but in what people do after they have seen them, which is why Cost Per Action (CPA) is where things are heading. Sure, there’s going to be fraud attempted there as well, but the economics are a lot more solid when you’re paying for an end-to-end transaction with a user rather than paying just for someone to visit some webpage.